[c-nsp] PIX-virus-DoS-connection problem

Marcelo Maraboli marcelo.maraboli at usm.cl
Thu Nov 11 14:20:59 EST 2004


Rick

The anti-spoof feature is not through ACLs, but an Internal PIX
feature in 6.2(2):

ip verify reverse-path interface outside
ip verify reverse-path interface inside

and yes, I do have turbo-acl activated.

regards,

Cheung, Rick wrote:
>         Do you have TurboACL configured for the anti-spoof ACLs you 
> mentioned?
> 
>         That should help cap CPU consumption.
> 
> 
> 
> Rick Cheung
> 
> -----Original Message-----
> From: Marcelo Maraboli [mailto:marcelo.maraboli at usm.cl]
> Sent: Thursday, November 11, 2004 11:02 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX-virus-DoS-connection problem
> 
> 
> Hello Admins
> 
> We have 2 525 PIX in failover mode with an unexpected behavior.
> 
> Yesterday, a virus/worm (probably a Kazaa worm) infected one of
> our PCs and started to generate 48 IP spoofed packets per second to
> a list of destinations (I suppose other Kazaa members).
> 
> Since our PIX is configured to drop Spoofed IP packets on the
> Inside and Outside interfaces, the CPU went up to 92% and the
> number of "active connections" was increasing at a linear rate.
> 
> Even though this traffic did not reach the border router, these
> packets were indeed dropped by the PIX, but the number of connections
> and CPU were NOT NORMAL.
> 
> After we unplugged the infected PC, the PIX CPU went back to
> normal, but the number of active connections (reported by SNMP)
> was still rising. I waited more than 1 hour (default idle connection
> timeout) and still nothing...
> 
> I have this graphed at:
> http://elqui.dcsc.utfsm.cl/tmp/Cisco%20PIX%20525%20Primary-Active.htm
> 
> we are using PIX version 6.2(2). Using PDM I graphed the CPU
> and number of connections at:
> 
> http://elqui.dcsc.utfsm.cl/tmp/conn.jpg
> http://elqui.dcsc.utfsm.cl/tmp/cpu.jpg
> 
> Is this a PIX malfunction that does not reset the SNMP
> connection counters ?? (since the PDM graph differs)
> 
> anyone else experienced this ?
> 
> thanks,
> -- 
> Marcelo Maraboli Rosselott
> Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
> Ingeniero Civil Electronico                     (Electronic Engineer)
> 
> Direccion Central de Servicios Computacionales (DCSC)
> Universidad Tecnica Federico Santa Maria, Chile.
> phone: +56 32 654237
> mailto: marcelo.maraboli @ usm.cl       http://elqui.dcsc.utfsm.cl/
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico                     (Electronic Engineer)

Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria, Chile.
phone: +56 32 654237
mailto: marcelo.maraboli @ usm.cl	http://elqui.dcsc.utfsm.cl/
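The thread turns on what `ip verify reverse-path interface <iface>` actually does: the PIX looks up the route back to a packet's source address and drops the packet if that route does not leave through the interface the packet arrived on. The following is an added illustration of that check, not code from the PIX or from anyone in the thread; the routing table, interface names and packet list are constructed for the example, and the 48 packets/s figure from the original post is only used to size a short burst.

```python
import ipaddress

# Constructed routing table: prefix -> interface the firewall would use to reach it.
# A real PIX uses its own route table; this stands in for it.
ROUTES = {
    "10.0.0.0/8": "inside",
    "0.0.0.0/0": "outside",
}


def best_route_interface(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface the route toward src_ip points at."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(src_ip, ingress_iface, routes=ROUTES):
    """Mimic 'ip verify reverse-path interface <iface>': accept the packet only
    if the route back to its source address leaves via the ingress interface."""
    return best_route_interface(src_ip, routes) == ingress_iface


def filter_packets(packets, routes=ROUTES):
    """Split (src_ip, ingress_iface) tuples into accepted and dropped lists."""
    accepted, dropped = [], []
    for src, iface in packets:
        (accepted if reverse_path_check(src, iface, routes) else dropped).append((src, iface))
    return accepted, dropped


def drop_rate(packets, seconds, routes=ROUTES):
    """Drops per second over a capture window, the kind of number worth graphing
    next to CPU and connection counts when hunting an infected inside host."""
    _, dropped = filter_packets(packets, routes)
    return len(dropped) / seconds


# Constructed one-second sample: a legitimate inside host, a burst of spoofed
# sources emitted by an infected inside host, one outside packet claiming an
# inside address, and one legitimate external source.
SAMPLE_PACKETS = (
    [("10.1.2.3", "inside")]
    + [("203.0.113.%d" % n, "inside") for n in range(1, 49)]  # 48 spoofed/s
    + [("10.1.2.3", "outside")]
    + [("198.51.100.9", "outside")]
)

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped:", len(bad), "drops/s:", drop_rate(SAMPLE_PACKETS, 1))
```

The point for a defender is that the unicast RPF check is stateless: every spoofed packet costs a route lookup and a drop, so a single infected host can drive CPU without any connection ever being built, and the drop rate is the counter to watch alongside CPU.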

